Description
- Package Name: azure-cosmos
- Package Version: 4.9.0
- Operating System: Windows
- Python Version: 3.12.9
Describe the bug
I am trying to create a database programmatically using the azure-cosmos library. However, it consistently fails when I run client.create_database_if_not_exists(COSMOS_DB_NAME) with the following:
Code: Forbidden
Message: Request blocked by Auth archagent-cosmos : Request for Read DatabaseAccount is blocked because principal [ME] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write] on any scope. Learn more: https://aka.ms/cosmos-native-rbac. This could be because the user's group memberships were not present in the AAD token.
ActivityId: 27fcabd9-22a8-476c-8bce-acac6ec1f94c, Microsoft.Azure.Documents.Common/2.14.0
I have to create the database using the Azure CLI (which uses azure-cosmos 3.2.0) and then it succeeds because the "if_not_exists" means the creation is skipped. It then proceeds to happily create the containers and let me access them. But the fact that nothing I have done allows me to programmatically create the database has been unbelievably frustrating. I have wasted days trying to figure this out and have finally given up, assuming the SDK is broken.
Prior to these steps, I had already assigned "Cosmos DB Operator" on the resource group and "Cosmos DB Built-in Data Contributor" on the Cosmos DB account via RBAC role assignments.
To Reproduce
Steps to reproduce the behavior:
Using the CosmosDB SDK (4.9.0)
- Create a resource group
- Create a Cosmos DB account with disable_local_auth=True
- Assign the random RBAC roles necessary. Force refresh the token and wait 10 min or so for roles to propagate.
- Try to create the database. It fails. Wait. It fails. Use Azure CLI and it works!
Expected behavior
I expect it to not error out and work.
Additional context
Local auth must be disabled. Not sure why that would matter, but in case it does.
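Two checks that follow from the error text in this report, as an added example that is not part of the original issue or of the azure-cosmos SDK. The message says the user's group memberships may be absent from the AAD token, and it names Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write, which is an Azure Resource Manager (control-plane) action; az cosmosdb sql database create succeeds because it goes through ARM rather than the data plane. The first function decodes the token payload without verifying the signature (inspection only, never for an authorization decision) and reports whether a groups claim or the Entra ID group-overage indicator is present. The second creates the database through the control plane with azure-mgmt-cosmosdb. The sample tokens are constructed; the subscription, resource group and account names are placeholders; and the ARM call assumes azure-identity and azure-mgmt-cosmosdb are installed and that the caller holds a control-plane role such as Cosmos DB Operator on the account.

```python
import base64
import json
from typing import Any


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict[str, Any]:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Inspection only: the token's issuer verifies it; this code does not.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_group_claims(token: str) -> dict[str, Any]:
    """Summarise whether group memberships are carried in the token.

    When a user belongs to more groups than a token can carry, Entra ID omits
    'groups' and sets the '_claim_names' / '_claim_sources' overage indicator,
    so a resource that evaluates group-based RBAC sees no groups at all.
    """
    claims = decode_jwt_payload(token)
    groups = claims.get("groups") or []
    claim_names = claims.get("_claim_names") or {}
    return {
        "oid": claims.get("oid"),
        "aud": claims.get("aud"),
        "group_count": len(groups),
        "groups_overage": "groups" in claim_names,
    }


def _make_unsigned_jwt(claims: dict[str, Any]) -> str:
    # Constructed test token with a dummy signature; real tokens are signed.
    def enc(obj: dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample tokens (placeholder ids), not captured from Azure.
TOKEN_WITH_GROUPS = _make_unsigned_jwt(
    {"aud": "https://cosmos.azure.com", "oid": "00000000-0000-0000-0000-000000000001",
     "groups": ["11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"]}
)
TOKEN_WITH_OVERAGE = _make_unsigned_jwt(
    {"aud": "https://cosmos.azure.com", "oid": "00000000-0000-0000-0000-000000000002",
     "_claim_names": {"groups": "src1"},
     "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/x/getMemberObjects"}}}
)


def create_sql_database_via_arm(subscription_id: str, resource_group: str,
                                account_name: str, database_name: str) -> str:
    """Create the database through Azure Resource Manager (what the Azure CLI does).

    Assumption: azure-identity and azure-mgmt-cosmosdb are installed and the
    caller holds an ARM role (e.g. Cosmos DB Operator) on the account. Imports
    are local so the inspection helpers above work without these packages.
    """
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.cosmosdb import CosmosDBManagementClient
    from azure.mgmt.cosmosdb.models import SqlDatabaseCreateUpdateParameters, SqlDatabaseResource

    client = CosmosDBManagementClient(DefaultAzureCredential(), subscription_id)
    poller = client.sql_resources.begin_create_update_sql_database(
        resource_group, account_name, database_name,
        SqlDatabaseCreateUpdateParameters(resource=SqlDatabaseResource(id=database_name)),
    )
    return poller.result().name


if __name__ == "__main__":
    for label, tok in (("with groups", TOKEN_WITH_GROUPS), ("overage", TOKEN_WITH_OVERAGE)):
        print(label, inspect_group_claims(tok))
    # Placeholder names; replace with your own before running against Azure:
    # print(create_sql_database_via_arm("<subscription-id>", "<rg>", "<account>", "<db>"))
```

To inspect a real token, pass the string returned by DefaultAzureCredential().get_token("https://cosmos.azure.com/.default").token to inspect_group_claims; a groups_overage of True (or a group_count of 0 when the role assignment is via a group) matches the "group memberships were not present" hint in the error. Granting the data-plane role directly to the principal rather than through a group sidesteps the overage case.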